Introduction

Intune gives administrators selective wipe, full wipe, remote lock and passcode reset capabilities for the mobile devices it manages. Because mobile devices usually store sensitive corporate data and provide access to many corporate resources, if a device is lost or stolen we can issue a remote wipe command from the Intune administrator console. Users can also issue their own remote wipe commands from the Intune Company Portal app. To protect devices we can issue:

A full wipe, to restore the device to its factory settings (identical to what ActiveSync has been offering for years);

A selective wipe, to remove only company data;

A remote lock, to help secure a device that might be lost;

A passcode reset, to set a new passcode on the device.

Remote Wipe

When we want to secure a lost device or when we retire a device from active use, it is typical to issue a wipe command to the device. With Intune there are two types of wipe:

Full Wipe restores the device to its factory defaults, removing all company and user data and settings. We can do a full wipe on Windows Phone, iOS and Android devices;

Selective Wipe removes only company data. The following table describes, by platform, what data is removed and the effect on the data that remains on the device after a selective wipe.

| Content type | Windows 8.1 (enrolled as a mobile device) and Windows RT 8.1 | Windows RT | Windows Phone 8 and 8.1 | iOS | Android | Android Samsung KNOX |
|---|---|---|---|---|---|---|
| Company apps and associated data installed by Intune | Files protected by EFS will have their key revoked and the user will not be able to open the files. Will not remove company apps. | Apps originally installed through the company portal are uninstalled. Company app data is removed. | Apps are uninstalled. Company app data is removed. | App data from Microsoft apps that use mobile app management is removed. The app is not removed. | Apps and data remain installed. App data from apps that use mobile app management is removed. The app is not removed. | Apps are uninstalled. App data from apps that use mobile app management is removed. The app is not removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Same | Same | Same | Same | Same |
| Wi-Fi and VPN profile settings | Removed | Removed | Not supported | Removed | Not supported | Not supported |
| Certificate profile settings | Certificates removed and revoked. | Certificates removed and revoked. | Not supported | Certificates removed and revoked. | Certificates revoked, but not removed. | Certificates revoked, but not removed. |
| Management agent | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Management profile is removed. | Device Administrator privilege is revoked. | Device Administrator privilege is revoked. |
| Email | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. | Not supported | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Not supported | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. |

Click All Direct Managed Devices for devices enrolled with Intune, or All Exchange ActiveSync Managed Devices for devices managed through Exchange ActiveSync. We can also navigate to a device by user: click All Users, and on the user's properties page click the Devices tab, then click the name of the mobile device we want to wipe:

Figure 6

In the list, select the device or devices to reset; then, on the taskbar, click Remote Tasks and then Passcode Reset:

Figure 7
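The console steps above (find the device by user, then issue a remote task from the taskbar) can also be scripted, which matters when a lost device has to be locked quickly or when an incident responder wants an auditable record of what was issued. The following is an added example, not part of the article: it uses the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) against the Intune managedDevices endpoints, where remote lock, passcode reset, selective wipe and full wipe map to the remoteLock, resetPasscode, retire and wipe actions. The user principal name and device values are placeholders, and the function names Get-IntuneDevicesForUser and Invoke-IntuneRemoteAction are this example's own, not Intune cmdlets.

```powershell
# Added example (not from the article): issue Intune remote actions through Microsoft Graph
# instead of the admin console. Requires the Microsoft.Graph PowerShell SDK and a sign-in that
# holds the DeviceManagementManagedDevices.PrivilegedOperations.All permission.
# All user and device values below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication

function Get-IntuneDevicesForUser {
    # Equivalent of "All Users > user > Devices tab": list one user's managed devices.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Double any apostrophe so the OData filter string stays well-formed.
    $upn = $UserPrincipalName.Replace("'", "''")
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$filter=userPrincipalName eq '$upn'" +
           "&`$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

function Invoke-IntuneRemoteAction {
    # Wraps the same remote tasks the console taskbar offers.
    # SupportsShouldProcess gives -WhatIf/-Confirm; a full wipe additionally asks for
    # an explicit confirmation unless -Force is passed, because it is irreversible.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)]
        [ValidateSet('RemoteLock', 'ResetPasscode', 'SelectiveWipe', 'FullWipe')]
        [string]$Action,
        [switch]$Force
    )

    # Graph action names: selective wipe = "retire", full wipe = "wipe".
    $endpoint = switch ($Action) {
        'RemoteLock'    { 'remoteLock' }
        'ResetPasscode' { 'resetPasscode' }
        'SelectiveWipe' { 'retire' }
        'FullWipe'      { 'wipe' }
    }
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId/$endpoint"

    # Full wipe: keep neither enrollment data nor user data (factory reset).
    $body = if ($Action -eq 'FullWipe') {
        @{ keepEnrollmentData = $false; keepUserData = $false }
    } else {
        @{}
    }

    if ($Action -eq 'FullWipe' -and -not $Force -and
        -not $PSCmdlet.ShouldContinue(
            "Full wipe restores device $DeviceId to factory settings and removes all user data. Continue?",
            'Confirm full wipe')) {
        return
    }

    if ($PSCmdlet.ShouldProcess($DeviceId, $Action)) {
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
        Write-Verbose "$Action queued for device $DeviceId; the device applies it at its next check-in."
    }
}

# Usage (placeholder values):
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All'
$devices = Get-IntuneDevicesForUser -UserPrincipalName 'user@contoso.example'
$devices | Format-Table deviceName, operatingSystem, complianceState, lastSyncDateTime

# Lost device: lock first, then remove company data; escalate to a full wipe only
# once it is clear the device will not be recovered.
Invoke-IntuneRemoteAction -DeviceId $devices[0].id -Action RemoteLock -Verbose
Invoke-IntuneRemoteAction -DeviceId $devices[0].id -Action SelectiveWipe -Verbose
Invoke-IntuneRemoteAction -DeviceId $devices[0].id -Action FullWipe -WhatIf
```

Two points worth keeping in mind when using this: the action is only queued by Graph and takes effect when the device next checks in, so lastSyncDateTime tells you how stale the device's connection is; and the ordering (lock, then selective wipe, then full wipe) follows the article's own distinction, since a selective wipe removes company data while leaving the user's own data intact, whereas a full wipe is a factory reset that cannot be undone.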

Remote Lock

If a user loses their device we can lock it remotely. The table below lists how remote lock works on different mobile platforms:

| Platform | Remote Lock |
|---|---|
| iOS | Supported |
| Android | Supported |
| Windows Phone 8 and 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device. |
| Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device. |